Using Claim Rules for Authorization

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

In Active Directory Federation Services (AD FS) 2.0, claim rules are stored in the AD FS configuration database for both transformation and authorization. Because they define special claim types for permitting and denying users, claim rules are also used by AD FS 2.0 to determine whether a user can obtain claims for a relying party. The following sections provide details about how AD FS 2.0 processes authorization.

In AD FS 2.0, authorization claim rules are associated with relying party trusts only. Authorization processing follows a process that is similar to the process for issuing claims that is described in Using Claim Rules for Issuing Claims. First, claims that come from a claims provider are normalized and filtered by the claims provider trust’s acceptance transform rules. Then, the authorization rule set is processed. If the user is denied access when AD FS 2.0 processes the rule set, further rules processing shuts down, and AD FS 2.0 returns an “Access denied” error to the user’s request.

AD FS 2.0 defines two claim types that are used to determine whether a user is permitted or denied. These claim type Uniform Resource Identifiers (URIs) are as follows:

Permit: http://schemas.microsoft.com/authorization/claims/permit

Deny: http://schemas.microsoft.com/authorization/claims/deny

The AD FS 2.0 authorization claim rules operate as follows:

If no permit claim is placed into the output set, the user is denied access (deny by default).

If a deny claim is placed into the output set, the user is denied access (deny overrides).

It follows from these rules that for a user to be permitted by the rules, a permit claim must be generated without any deny claims. The Permit All Users rule template permits all users by simply generating a permit claim into the output set, regardless of the claims in the input set.

Several sets of claim rules perform authorization for different operations.

Issuance Authorization Rules: These rules determine whether a user can receive claims for a relying party and, therefore, access to the relying party.

Delegation Authorization Rules: These rules determine whether a user can act as another user to the relying party. When a user is acting as another user, claims about the requesting user are still placed in the token.

Impersonation Authorization Rules: These rules determine whether a user can fully impersonate another user to the relying party. Impersonating another user is a very powerful capability, because the relying party will not know that the user is being impersonated.